---
title: npm Security Policy
edit_on_github: false
---

This document outlines the practices and policies that npm applies to help ensure that we release stable, secure software and react appropriately to security threats when they arise.

## Table of Contents

1. [Reporting Security Problems to npm](#reporting-security-problems-to-npm)
1. [Security Point of Contact](#security-point-of-contact)
1. [Critical Updates And Security Notices](#critical-updates-and-security-notices)

## Reporting Security Problems to npm

If you need to report a security vulnerability, please visit [https://npmjs.com/support](https://npmjs.com/support). If your issue is specific to your account, such as lost credentials or problems with two-factor authentication, contacting [our support team](https://npmjs.com/support) is more appropriate.

We review all security reports on the next business day. Note that the npm staff is generally offline for most US holidays, but please do not delay your report! Our off-hours support staff can fix many issues, and will alert our security point of contact if needed.

## Security Point of Contact

Any security tickets opened using [https://npmjs.com/support](https://npmjs.com/support) will be escalated to the security point of contact, who will delegate incident response activities as appropriate. This is the best and fastest way to contact npm about any security-related matter.

## Critical Updates And Security Notices

We learn about critical software updates and security threats from a variety of sources:

- Ubuntu's security notices page: [https://usn.ubuntu.com/](https://usn.ubuntu.com/)
- The Node.js mailing list.
- [Security tickets](https://npmjs.com/support) sent to us.
- Other media sources.

## Changes

This is a living document and may be updated from time to time. Please refer to the [git history for this document](https://github.com/npm/documentation/blob/main/content/policies/security.mdx) to view the changes.

## License

This document may be reused under a [Creative Commons Attribution-ShareAlike License](https://creativecommons.org/licenses/by-sa/4.0/).
